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ICO call for views on a direct marketing code 
of practice 


The Information Commissioner is calling for views on a direct 
marketing code of practice. 


The Data Protection Act 2018 requires the Commissioner to produce 
a code of practice that provides practical guidance and promotes 
good practice in regard to direct marketing. 


While direct marketing is an important and useful tool to help 
organisations engage with people in order to grow their business or 
to publicise and gain support for their causes, it can also be 
intrusive and have a negative impact on people if done badly. This 
can cause reputational damage to organisations and, in some cases, 
result in fines or other regulatory action for breaking data protection 
laws. 


So it is important that organisations ensure their marketing 
activities are compliant with data protection legislation (the General 
Data Protection Regulation and Data Protection Act 2018) and, 
where necessary, the Privacy and Electronic Communications 
Regulations 2003 (PECR). 


We have previously published detailed direct marketing guidance. 
The new code will build on that guidance and address the aspects of 
the new legislation relevant to direct marketing such as 
transparency and lawful bases for processing, as well as covering 
the rules on electronic marketing (for example emails, text 
messages, phone calls) under PECR. 


The European Union is in the process of replacing the current e- 
privacy law (and therefore PECR) with a new ePrivacy Regulation 
(ePR). However the new ePR is yet to be agreed and there is no 
certainty about what the final rules will be. Because of this we 
intend for the direct marketing code to only cover the current PECR 
rules until the ePR is agreed. Once the ePR is finalised and the UK 
position in relation to it is clear we will produce an updated version 
of the code which takes this into account as appropriate. 


This call for views is the first stage of the consultation process. The 
Commissioner is seeking input from relevant stakeholders, including 
trade associations, data subjects and those representing the 
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interests of data subjects. We will use the responses we receive to 
inform our work in developing the code. 


You can email your response to directmarketingcode@ico.org.uk 
Or print and post to: 


Direct Marketing Code Call for Views 
Engagement Department 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the call for views, please 
email the Direct Marketing Code team. 


Please send us your views by 24 December 2018. 


Privacy statement 


For this call for views we will publish responses received from 
organisations but will remove any personal data before publication. 
We will not publish responses from individuals. For more 
information about what we do with personal data please see our 


privacy notice. 
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uestions 


Q1 The code will address the changes in data protection 
legislation and the implications for direct marketing. What 
changes to the data protection legislation do you think we 
should focus on in the direct marketing code? 


It would be helpful to have some clarity regarding whether the ‘soft opt-in’ approach 
under PECR is compatible with the lawful basis for processing under GDPR. The ‘soft 
opt-in’ could be considered a legitimate interest for sending marketing information. 
However, confirmation of this approach would be useful. Additionally, examples of 
the types of marketing processing that can be based on legitimate interests would be 
helpful. 


We understand that the GDPR right to object and PECR right to opt out of direct 
marketing are compatible. However, confirmation of this approach would also be 
helpful. Additionally, it would be helpful to understand whether under the right to 
erasure, enough data can be retained on suppression lists to make sure marketing is 
not accidentally sent to an individual who has opted out/objected. 

It would also be helpful to understand whether a new opt-in overrides a previous 
unsubscribe/objection request. 


Q2 Apart from the recent changes to data protection legislation 
are there other developments that are having an impact on 
your organisation’s direct marketing practices that you think 
we should address in the code? 


ME ves 
[| No 


Q3 If yes please specify 


In order to ensure compliance with the principles of fair treatment of customers 
(TCF). The FCA increasingly expects firms to proactively contact clients to advise them 
of products that could be better for them, such as deposit accounts with a better 
interest rate. We would welcome confirmation that such communications can be 


made to individuals who have opted out of receiving marketing material. 

From time to time, our firm will acquire additional businesses. It would be helpful to 
understand to what extent we are allowed to rely on the soft-opt in to provide 
information about those subsidiaries to existing clients. 


Q4 Weare planning to produce the code before the draft ePrivacy 
Regulation (ePR) is agreed. We will then produce a revised 
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code once the ePR becomes law. Do you agree with this 
approach? 


E ves 
[| No 


® 
Q5__If no please explain why you disagree 1CcO. 


Informatton Commissioner's Office 


n/a 


Q6 Is the content of the ICO’s existing direct marketing guidance 
relevant to the marketing that your organisation is involved 
in? 


L] Yes 
Mm ~o 


Q7 If no what additional areas would you like to see covered? 


There are certain kinds of marketing contact that are not covered by the guidance 
such as social media. The definition of direct marketing does not specify whether 
posting something on social media, where the audience might be known (e.g. 
LinkedIn contacts) is considered direct marketing. 
Additionally, the current direct marketing definition covers any messages which 
include some marketing elements, even if that is not their main purpose. Some more 
context surrounding this would be helpful. For example, a call may be made to a client 
for administrative purposes, however, on making the call, we become aware the 
client is in the wrong product and we want to explain the other options available to 
them. In this example, we are complying with our regulatory obligations but the client 
may have opted out of receiving marketing information. 
In relation to business to business communications, it would be helpful to understand 
how emails sent to an individual’s professional email address (e.g. 

are viewed under GDPR and PECR. The current 
guidance would indicate that the individual may need to opt-in. However, in many 
cases, there is not a general email to contact (e.g. info@abcfirm.org). 
Additionally, in relation to business to business communications, the current 
examples for corporate subscribers and on-corporate subscribers is narrow and 
should be expanded to explain how different types of firms (e.g. LLPs, credit unions, 
trusts, clubs and societies) should be considered under PECR and GDPR. 
There is very little in the current code regarding self-generated target name lists. 
Whilst it mentions Lead Generation & Marketing Lists it notes that these can be 
formed in house “from customer contacts” or be a list of prospects that has been 
“bought” in. Additionally, how are lists generated from information already in the 
public domain (e.g. utilising email addresses listed on LinkedIn, company website, and 
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Companies House) viewed under PECR and GDPR. If this is information someone has 
expressly made public can it be used for marketing purposes. 

We would be interested to understand how contact lists brought over from previous 
employment would be viewed under PECR and GDPR. The area in which our firm 
operates is highly customer service focused and many clients will follow their 
relationship manager from firm to firm because of the personal relationship built up. 
New joiners to the business might bring a client contact list with them in the 
knowledge that those clients are likely to follow them to their new company. How 
such a scenario would be viewed under GDPR and PECR. Is it reasonable to argue that 
contact can be made based on legitimate interests and the clients would reasonably 
expect to hear from the individual? Additionally, it would be helpful to understand the 
expectations regarding how long Target/Marketing Lists should be retained. For 
example, where a non-complete clause exists in an employee contract would it be 
reasonable for them to retain the list until the non-compete period has passed. 

It would be helpful if the new code could provide some guidance on future-proofing 
marketing strategies. For example, where the medium for certain marketing 
campaigns changes from postal to electronic. Guidance on the steps businesses 
should take when they wish to move a marketing strategy from postal to email would 
be helpful. Specifically, would new consents be required simply because a new 
contact method is being used. 


Q8 Isit easy to find information in our existing direct marketing 
guidance? 


L] ves 
E No 


Q9 If no, do you have any suggestions on how we should 
structure the direct marketing code? 


It would be helpful if business to business guidance was in one place as opposed to 
dotted around separate sections. 

It would be valuable for the guidance to include a decision tree to help organisation 
assess compliance. Such a decision tree should consider the types of relationship 
(client, business to business, third party), the lawful basis for processing and the 
method of contact (email, post, telephone etc.). 


CO. 


Informationr Commissioner's Office 


Q10 Please provide details of any case studies or marketing 
scenarios that you would like to see included in the direct 
marketing code. 


e Anew staff members joins a company with a contact list. How should they contact the 


clients? How long can they retain the data? Does the firm have a legitimate interest 
given that it likely the client is expecting to be contacted by the staff member? 


Direct Marketing Code - Call for views 
20181112 v1.0 


e Creating target/marketing lists from information already made public by the data 
subjects. 


Q11 Do you have any other suggestions for the direct marketing 
code? 


n/a 


About you 


Q12 Are you answering these questions as? 
A public sector worker 

A private sector worker 

A third or voluntary sector worker 

A member of the public 

A representative of a trade association 
A data subject 

An ICO employee 

Other 


OOU E 


If you answered ‘other’ please specify: e 


as CO., 


Information Commissioner's Office 


Q13 Please provide the name of the organisation that you are 
representing. 


Arbuthnot Latham & Co., Limited 


Q14 We may want to contact you about some of the points you 
have raised. If you are happy for us to do this please provide 
your email address: 


_——— SCC 


Thank you for taking the time to share your views and experience. 
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